Does the cooldown option for dependabot also affect transitive dependencies? #174897
Subject: Re: Dependabot cooldown and transitive dependencies

@mattesja Absolutely!! The mechanism you're referring to as a "cooldown"—properly called dependency grouping—is fully effective for updates triggered by transitive dependency vulnerabilities. It's a critical workflow for mitigating supply-chain risks without creating PR fatigue.

Imagine your project is a car. 1) You chose the engine (this is your direct dependency, a package you added yourself).

The process is robust. Dependabot identifies the issue in the transitive dependency and creates a PR for the direct one. Your grouping rules then catch that PR, bundling it as configured. This lets you maintain a strong security posture without getting overwhelmed.
Question
Does the cooldown option also affect transitive dependencies for npm (or other package managers)?
Especially in the Node ecosystem, supply-chain attacks on npm packages are a big risk, since they would be included in the build via transitive dependencies.
Update: updating a transitive dependency did not use the cooldown option in my trial
I've just tested the cooldown feature with a dummy repo. It seems that Dependabot does not recognize the cooldown option for transitive dependencies.
Here's what I've tested:
I've created a repo with some old dependencies: https://github.com/mattesja/node-devcontainers
I've configured Dependabot with a cooldown period of 23 days.
I expect that @jest/core is updated to the current version, but @babel/compat-data only to 7.28.0.
As a direct dependency, @babel/compat-data is only updated to 7.28.0.
Check package-lock.json in https://github.com/mattesja/node-devcontainers/pull/3/files#diff-053150b640a7ce75eff69d1a22cae7f0f94ad64ce9a855db544dda0929316519
The direct dependency is updated to the correct version:
But as a transitive dependency, @babel/compat-data is updated to 7.28.4.
Check line 875 of package-lock.json in
https://github.com/mattesja/node-devcontainers/pull/4/files#diff-053150b640a7ce75eff69d1a22cae7f0f94ad64ce9a855db544dda0929316519R875
The transitive dependency is updated to the unwanted newest version:
Question
Is there a mistake in my test or are transitive dependencies currently not supported for the cooldown option?
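One way to check a lockfile for the behaviour described in the post, as an added example that is neither code from the author's test repo nor part of Dependabot: it walks every entry in a `package-lock.json` (v2/v3 format), including copies nested under another package's `node_modules`, and flags any resolved version published inside the cooldown window. Publish dates would normally be read from the npm registry's package metadata; here the lockfile fragment and the dates are constructed sample values modelled on the versions in the post.

```javascript
// Added example (not from the discussion): audit a package-lock.json against a
// cooldown window, covering transitive packages too.
const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed lockfile fragment modelled on the post: the direct @babel/compat-data
// honours the cooldown, the nested copy under @jest/core does not.
const lockfile = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "@babel/compat-data": "^7.28.0", "@jest/core": "^30.0.0" } },
    "node_modules/@babel/compat-data": { version: "7.28.0" },
    "node_modules/@jest/core": { version: "30.0.0" },
    "node_modules/@jest/core/node_modules/@babel/compat-data": { version: "7.28.4" },
  },
};

// Constructed publish dates standing in for registry metadata (name -> version -> ISO date).
const publishTimes = {
  "@babel/compat-data": { "7.28.0": "2025-07-01T00:00:00Z", "7.28.4": "2025-09-20T00:00:00Z" },
  "@jest/core": { "30.0.0": "2025-06-04T00:00:00Z" },
};

// Package name from a lockfile path: everything after the last "node_modules/".
function packageName(lockPath) {
  return lockPath.slice(lockPath.lastIndexOf("node_modules/") + "node_modules/".length);
}

// Return every installed package whose resolved version was published less than
// cooldownDays before `now` (a millisecond timestamp). Entries nested under another
// package's node_modules are transitive; `direct` means a top-level copy that the
// root manifest itself depends on.
function findCooldownViolations(lock, times, cooldownDays, now) {
  const rootDeps = lock.packages[""]?.dependencies ?? {};
  const violations = [];
  for (const [lockPath, entry] of Object.entries(lock.packages)) {
    if (lockPath === "") continue;
    const name = packageName(lockPath);
    const published = times[name]?.[entry.version];
    if (!published) continue; // unknown version: nothing to compare against
    const ageDays = (now - Date.parse(published)) / DAY_MS;
    if (ageDays < cooldownDays) {
      const direct = lockPath === `node_modules/${name}` && name in rootDeps;
      violations.push({ name, version: entry.version, path: lockPath, direct, ageDays: Math.floor(ageDays) });
    }
  }
  return violations;
}
```

Run against a real lockfile, the same walk reports the nested `@babel/compat-data` copy as the one that slipped past the 23-day window, which is the signal to watch for when verifying that a cooldown actually covers transitive updates.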